Alibaba Cloud: Configure Security Groups for ECS-hosted MSSQL

A word of warning: this is for demonstration purposes only! To avoid introducing security vulnerabilities to your ECS instances, review the Security Group changes carefully before making changes similar to the ones described in this post.

Configure the Security Group for connecting an ECS application to ECS MSSQL

Configure ECS Security Group
– Enable the SG to allow port 1433 (or whatever port the application is using)
– This assumes your ECS instance is in a public subnet (has a public IP)
– You will need the credentials for your SQL user

Security Group – Application server
Below are the Security Group configurations for the application server hosting applications on ports 443 and 80. Ports 443 and 80 are the standard globally exposed ports for HTTPS and HTTP respectively (web browsers use these ports by default).

Warning: this is for demo purposes only! To minimize risk to the DB you should not expose port 1433 in a production environment (port 1433 is only needed for remote DB connections). The image shows the Security Group rules for the application server.

Note: Port 22 is only needed for SSH; you only need it if you plan to remote into the ECS server using an SSH client. By default all outbound traffic is 'Allow' and all inbound traffic to ECS is 'Forbid'.

Security Group – Database server
Below are the Security Group configurations for the database server hosting MSSQL on port 1433. The Security Group opens port 1433 for inbound traffic only from the IP of the application server ECS instance. This allows the application server to communicate with the database server on port 1433.
In this demo, the application server and database server are in the same VPC. The Security Group below will also work if you have the application server in a public subnet and the database server in a private subnet. Port 22 is not needed and is shown for demo purposes only!

Warning: this is for demo purposes only! To minimize risk to the DB you should not expose port 1433 in a production environment (port 1433 is only needed for remote DB connections). The image shows the Security Group rules for the DB server hosting MSSQL on port 1433.
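The two rule sets above can be checked mechanically. The following audit is an added example, not part of the original post or any Alibaba Cloud tooling: it walks a list of ingress rules written with the field names a security group rule carries (IpProtocol, PortRange, SourceCidrIp, Policy, Direction) and flags any sensitive port (1433 for MSSQL, 22 for SSH) that is reachable from a source outside its expected set. The addresses and rule dicts are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample values (RFC 5737 documentation ranges), not real hosts.
APP_SERVER_CIDR = "192.0.2.10/32"   # the application server's address
ADMIN_CIDR = "198.51.100.0/24"      # where SSH sessions are expected to originate

# Sensitive inbound ports and the only sources that should reach them.
EXPECTED_SOURCES: Dict[int, List[str]] = {
    1433: [APP_SERVER_CIDR],  # MSSQL: only the application server
    22: [ADMIN_CIDR],         # SSH: only administrators
}

def parse_port_range(port_range: str) -> Tuple[int, int]:
    """Rules write port ranges as 'low/high'; '-1/-1' means all ports."""
    lo, hi = (int(p) for p in port_range.split("/"))
    return (0, 65535) if (lo, hi) == (-1, -1) else (lo, hi)

def audit_ingress_rules(rules: List[dict],
                        expected: Dict[int, List[str]] = EXPECTED_SOURCES
                        ) -> List[Tuple[str, int, str]]:
    """Return (severity, port, source_cidr) for every Accept ingress rule that lets a
    sensitive port be reached from a source outside its expected set."""
    findings = []
    for rule in rules:
        if rule.get("Direction", "ingress") != "ingress" or rule.get("Policy", "Accept") != "Accept":
            continue  # egress rules and explicit Drop rules do not widen exposure
        if rule["IpProtocol"].lower() not in ("tcp", "all"):
            continue  # MSSQL and SSH are TCP services
        lo, hi = parse_port_range(rule["PortRange"])
        source = ipaddress.ip_network(rule["SourceCidrIp"])
        for port, allowed in expected.items():
            if not lo <= port <= hi:
                continue
            if source.prefixlen == 0:
                findings.append(("CRITICAL", port, rule["SourceCidrIp"]))  # open to the internet
            elif not any(source.version == net.version and source.subnet_of(net)
                         for net in map(ipaddress.ip_network, allowed)):
                findings.append(("WARNING", port, rule["SourceCidrIp"]))
    return findings

# Constructed rule sets mirroring the post's database-server screenshot.
DEMO_DB_RULES = [
    {"IpProtocol": "TCP", "PortRange": "1433/1433", "SourceCidrIp": APP_SERVER_CIDR, "Policy": "Accept", "Direction": "ingress"},
    {"IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept", "Direction": "ingress"},
]
PRODUCTION_DB_RULES = [DEMO_DB_RULES[0]]  # 1433 scoped to the app server, no world-open SSH

if __name__ == "__main__":
    for severity, port, src in audit_ingress_rules(DEMO_DB_RULES):
        print(f"{severity}: port {port} reachable from {src}")
```

Running it against the demo rules reports only the world-open SSH rule, and against the production variant reports nothing; a rule with IpProtocol "ALL" and PortRange "-1/-1" is treated as covering every sensitive port.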

Configuring MSSQL server
To enable remote connections to the Microsoft SQL database server, check that the SQL Server instance has remote connections enabled. The images below show how to verify this setting in MSSQL. By default, MSSQL uses port 1433, but if you use a different port, make sure that port is opened in the Security Groups for remote connections.

Note: You do NOT need to configure remote SQL connections if you do not intend to connect to the DB remotely. This is for demo purposes only; connections from the application ECS server instance do not require remote SQL connections.

You should now be able to connect to the SQL DB from anywhere with a SQL user configured for remote connections. Once you are done with MSSQL remote connections, it is best practice to remove any unused port openings from your Security Group and disable remote connections to the MSSQL DB.